An embarrassingly simple security breach in Microsoft account logins (including Office 365) has been fixed but it took Microsoft way too long to do anything.
It was possible for someone to take over the logins of Microsoft account users to get login details including passwords. There’s over 400 million Microsoft accounts including anyone with Office 365.
The problem has been fixed, there’s no risk to Microsoft account or Office 365 users. But it was lucky that Sahad Nk found the bug first, not a criminal hacker.
We’ll explain how Microsoft dropped the ball in a moment – it’s absurdly simple and makes us wonder about if Microsoft’s talk about security is at all sincere.
Security fix took too long
Microsoft were told about this problem in June 2018 but took over FOUR months before finally fixing it in November!
Quote from SafetyDetective.com
There’s no excuse for it taking that long. Some security bugs need time to trace, fix and test – but this wasn’t one of them.
The core problem (the DNS record for a Microsoft sub-domain) could have been fixed in four minutes … let alone four months. The rest of the coding bugs (using wildcard domain mapping) should have been fixed in much less time too.
About the Microsoft account security bug
It started with a Microsoft sub-domain success.office.com . Microsoft owns office.com and uses various sub-domains for its services. Success.office.com was being used by a Microsoft app as the site to connect into Microsoft’s Azure services. The app was dropped but the sub-domain was left live and unguarded.
Sahad Nk successfully hijacked success.microsoft.com to a web site he controlled. That site could collect any information sent to it and that includes the login token that authenticates a Microsoft account.
That was Microsoft’s core error. They failed to properly secure one of their own domains.
When you login with a Microsoft account, all logins are approved by a single domain which allows redirection to an approved site like microsoft.com, outlook.com or office.com and, crucially, sub-domains.
The redirection happens with an oAuth token passed along which identifies the user and verifies that the login is OK. That token can be misused in the wrong hands.
A hacker could make a link like this with the ‘wreply’ pointing to success.office.com :
A non-working link so don’t bother trying it!
Microsoft account logins should only redirect (wreply) to approved domains. It seems that Microsoft took the easy option and allowed redirects to any sub-domain (eg *.office.com) instead of specifying which sub-domains are safe.
Since success.office.com was controlled by someone outside Microsoft, a customer authorizing token could be sent to a hacker. The hacker uses that token to access customers account, email, OneDrive documents and more.
Microsoft’s second error was allowing a redirect to an insecure sub-domain either because they didn’t remove success.office.com from the approved ‘wreply’ list or had a ‘lazy’ wildcard instead.
For a lot more detail see https://www.safetydetective.com/blog/microsoft-outlook/
Good guys got there first…
Thankfully, the bug was reported to Microsoft first. But the long delay before fixing this serious but easily fixable security lapse calls into question Microsoft real interest in customer security and privacy. This bug, reported in July 2018, should have been fixed.
Maybe Microsoft fixed the problem more quickly? If so, why wait so long before going public? Delaying the announcement just makes Microsoft look bad.